Information Security Magazine
Preventing Data Theft, Combating Internal Threats
by Kevin Beaver
Issue: Jan 2006

Your worst enemy could very well be inside your network. We'll show you how to prevent insiders from sharing your most critical data.

Your problem might not be a hacker trying to break into your network: It could be Jim in engineering, or Steve in sales--maybe even Cindy in production. Your employees could be snatching intellectual property and e-mailing it to competitors, or they could be inadvertently sending out confidential customer information.

Employees who deliberately or unwittingly leak confidential information outside corporate confines pose a huge threat--one that businesses might overlook. This kind of data seepage can cost an organization millions of dollars and cause irreparable damage to its reputation.

According to a 2005 study of insider breaches in critical infrastructure sectors by the U.S. Secret Service and Carnegie Mellon's Software Engineering Institute, 81 percent of such breaches resulted in financial losses ranging from $500 to "tens of millions of dollars." Additionally, 28 percent of the respondent organizations said their reputation was hurt by the breach.

The complexity of today's computing environments, with business networks becoming larger and more porous, is exacerbating the insider threat. What used to be the network perimeter is essentially a borderless mesh of connectivity for applications, telecommuters, business partners and customers. Adding to the problem is the untracked decentralization of information storage in files and databases across many systems. Spreadsheets, word processing documents and other files are not only stored on server shares and local user folders, but are strewn across messaging systems, mobile devices and local workstation folders. Maintaining proper access control on this information is nearly impossible.

Now, in this age of rogue and careless insiders with immeasurable access, network managers--and even many business executives--are taking a closer look at their internal systems. Technology suppliers have responded by developing new ways to address the insider threat.

So before your network springs a leak, here are several technologies to consider for keeping your most valuable data secure.

Checking the Pipes
Products providing insight into network activity under the guise of content filtering have been around for years. These products monitor e-mail, Web and other system usage to keep malware from entering the network, and block or flag inappropriate use to ensure employee productivity. But emerging technologies allow you to peek into what's really going on inside your network to detect and even prevent information leakage.

There are more than a dozen vendors in the network content monitoring space, each with products that monitor Web, messaging, peer-to-peer, streaming media and other traffic. They identify breaches and suspicious usage based on pre-selected and customizable network protocols, traffic patterns and file types in communication streams. Some tools analyze words and groupings of words for suspicious activity, while others can determine the context of what's being done with files. Many look for binary signatures of sensitive information and files rather than relying on filenames and extensions, which can easily be removed, renamed, or otherwise obscured. Some even analyze network traffic patterns and build a big-picture vision of suspicious behavior, alerting security administrators to top talkers--computers, applications or users generating the most network traffic--and protocols in use.

By using sophisticated linguistic analysis, network content-filtering technology has advanced beyond regular expression and keyword analysis so it can analyze derivative content, says Trent Henry, senior analyst with the Burton Group. These tools are beginning to feature automatic content discovery capabilities, which eases administration, he adds. With keyword or expression analysis, a fair amount of effort is required from an IT group to determine what the sensitive information is and what its characteristics are, and then to set up the monitoring and associated policies. With automatic content discovery, the tools understand directory systems to pull in user and group information, and crawl through an organization's "information landscape." The tools can look in important file systems, document management systems or databases to identify information as sensitive, Henry says.
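To make the two preceding paragraphs concrete (matching on content fingerprints and word groupings rather than on filenames, and the regular-expression and keyword analysis that automatic discovery builds on), here is a small added classifier for outbound attachments. It is illustration written for this article, not code from any vendor named here; the document catalogue, patterns and sample attachments are all constructed.

```python
import hashlib
import re

# Constructed catalogue of confidential documents keyed by SHA-256 of their content.
# Fingerprinting the bytes, not the name, is the point: renaming the file or
# stripping its extension does not change the hash. (Assumed format, not a product's.)
CONFIDENTIAL_DOCS = {
    hashlib.sha256(b"PROJECT X DESIGN v3 - internal only").hexdigest(): "project-x-design",
}

# Regular-expression patterns that describe sensitive data independent of file type.
PATTERNS = {
    "us-ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card-number": re.compile(rb"\b(?:\d[ -]?){15}\d\b"),
}

# Word groupings: flag only when several related terms co-occur, which is far less
# noisy than alerting on any single keyword.
KEYWORD_GROUPS = {
    "customer-pii": {b"customer", b"account", b"date of birth"},
}

# Magic bytes give the real file type regardless of the extension the sender chose.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/office", b"\xd0\xcf\x11\xe0": "ole/office97"}


def file_type(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(name: str, data: bytes) -> dict:
    """Return findings for one outbound attachment; `name` is reported but never trusted."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in CONFIDENTIAL_DOCS:
        findings.append(f"known-document:{CONFIDENTIAL_DOCS[digest]}")
    for label, rx in PATTERNS.items():
        if rx.search(data):
            findings.append(f"pattern:{label}")
    lowered = data.lower()
    for label, terms in KEYWORD_GROUPS.items():
        if all(term in lowered for term in terms):
            findings.append(f"keywords:{label}")
    # A real deployment would quarantine or alert here; this returns the decision.
    return {"name": name, "type": file_type(data), "findings": findings, "block": bool(findings)}
```

Note that a renamed copy of the catalogued design document ("notes.txt") is still caught by its hash, and a PDF mailed as ".jpg" is still typed as a PDF and checked for the customer-data grouping.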

Many network-based content filtering products perform passive monitoring and can report back on suspicious activity, such as Jim e-mailing project designs to his Yahoo account or Steve mistakenly sending out customers' personal data. Others perform active monitoring and leakage prevention by blocking traffic and quarantining files. By taking a proactive stance and preventing questionable or malicious behavior from taking place, they offer benefits similar to those of an IPS. This content-monitoring option will likely prove to be the most valuable long-term, especially for security policy enforcement and regulatory compliance management.

Several products also have built-in and customizable regulatory compliance and security policies that can be tweaked for your specific network environment and business needs. If audit log retention is required by the business--public companies covered by SOX, or organizations in the securities industry--most content monitoring options provide system activity logging.

Another method for detecting nefarious insider behavior and computer misuse is host-level content monitoring, which uses agent software to track computer, OS and application operations, enforce applicable security policies, and warn users of violations. Vendors in this category include ControlGuard, Orchestria, Oakley Networks and Verdasys, among others.

At first, it appears that host-level control may be more difficult to deploy and require more resources to manage than network-based products, but it does have a major benefit: the ability to monitor at the desktop level, which is the launching pad for wayward behavior. An ideal setup would be to have both network and host-based protection guarding local usage and network transmission in a layered approach, as in the case of the Tablus and PortAuthority offerings.

According to Henry, host-based behavioral analysis tools can see information in plain text on the host, giving them an advantage over network content filtering, which can't inspect encrypted content. Some vendors have plans to add the ability to monitor encrypted traffic, but it's a difficult problem to solve, he adds.

Alternative Measures
Other security products don't necessarily fall into the same context as content monitoring and information leakage solutions, but can contribute to the overall protection of sensitive information. These include messaging firewalls such as Akonix's L7, IMLogic's IM Manager, CipherTrust's IronMail and NetIQ's MailMarshal, which can be configured to filter inbound and outbound e-mail and instant messages for sensitive information. Obviously, these types of systems won't detect and protect against misuse in other network systems and protocols, but a very large portion of insider abuse takes place inside messaging applications.

There are also dedicated forensics analysis and replay products such as Niksun's NetVCR and NetDetector, and Sandstorm Enterprises' NetIntercept that can help. These tools not only provide security surveillance and proactive system analysis of Cindy's suspicious activities, but can record network traffic and serve as strong forensics investigation tools with their anomaly detection and session reconstruction capabilities.

And don't overlook the value of encrypting information for securing confidential data. This is especially true for sensitive databases, files and mobile computer storage such as laptop hard drives and PDAs--just don't get caught up in the hype that encryption solves all security problems. Most insider breaches result from users like Jim having authorized and legitimate access to sensitive information--something that encryption is not going to help protect against. Also, information encrypted during transit does nothing to protect data once it's stored on internal systems. In fact, encrypting information in transit may only serve to cover up what a malicious insider is doing.

Technically speaking, a host- or network-based intrusion detection system--especially when combined with an event correlation system--could deliver information protection results similar to those of dedicated content-monitoring solutions.

Pros and Cons of Monitoring
In order for most security policies to be effective, they need to be enforced with technical safeguards. Content-monitoring solutions offer a great deal of benefits for anyone involved with protecting sensitive information. Investment in one of these products can:

Content-monitoring products can serve as the last layer of security control to help organizations enforce their own internal security policies. These products also help with the never-ending growth of security and privacy-related regulatory requirements.

As with most technologies, there are some downsides. The first is cost: a full-blown content-monitoring system ranges from a few thousand dollars to more than $100,000, based on the number of dedicated appliances, remote sensors and users. Additional downsides include:

Finally, a lot of value can be obtained by simply locating and properly classifying your sensitive information, either by manually taking inventory or by utilizing an automated product such as Google's Search Appliance or StoredIQ's Information Classification and Management Platform. You can then lock information down where it resides using widely accepted security hardening techniques and layered defenses built right into your OSes and applications--including solid access controls, strong file permissions and least-privilege user accounts.

It Really is a Business Issue
There's a common belief held by upper management: "We're not at risk." But excuses like, "We cannot fix what we don't acknowledge," and "I don't know what I don't know," are no longer valid.

Whether insiders are malicious or simply making mistakes, you've got a network full of proprietary information your organization cannot afford to have compromised. From corporate trade secrets to financial reports to private employee and customer information, once sensitive information is gone, there's no getting it back. Although major damages are more the exception than the rule, most organizations cannot afford even the most basic information leak. And technology won't solve this problem by itself.

In the quest to protect your organization from insider threats, you must have executive buy-in, and responsibility and accountability also need to be placed in the hands of network users.

This involves management supporting and posting security policies and then effectively communicating to employees the standards to which they're being held. This must take place over and over again to be effective. Technical solutions such as content monitoring products are merely a means to that end--not the end itself.

But implemented for the right reasons and in the right way, these technologies can serve as a great monitor to ensure that your most critical data isn't dripping out of your network.
